Connect2id server datasheet

1. Server endpoints

The Connect2id server supports all standard OAuth 2.0 /
OpenID Connect endpoints for single sign-on (SSO),
authorisation and identity provision. It also provides a number of powerful
RESTful and native interfaces for integrating end-user, monitoring
and administration tools.

Standard OAuth 2.0 / OpenID Connect endpoints

Provider JWK set — Publishes the provider’s public JSON
Web Key (JWK) set and certificate chain, required by client applications to
verify ID tokens and other issued objects.

Client registration — Registers client
applications with the Connect2id server, so they can log in end-users and
request ID and / or access tokens. The endpoint can be operated in a public
(open registration) or private mode. Supports the optional client read,
update and delete operations.

Direct authorisation — Facilitates direct
issue of ID, access and refresh tokens, without going through the standard
OAuth grant mechanisms. Can be used to proxy and federate external identity
providers, including legacy systems.

2. Supported OAuth 2.0 / OpenID Connect response types

The Connect2id server supports all standard OpenID Connect response
types. The server can be
configured to accept only a subset of these, either for the entire provider or
on a per-client basis. The token response is generally not supported as it
falls outside the scope of OpenID Connect; OAuth 2.0 clients should use
token id_token instead.

code — Used to request an ID token and access token at the Token endpoint.

13. Offline access

The Connect2id server supports authorisations bound to a subject’s session as
well as offline access by means of long-lived OAuth 2.0 refresh tokens.

14. Subject (end-user) authentication

Password-based authentication of end-users as well as stronger multi-factor
methods are supported.

Upon successful login a client application may be informed of the employed
authentication strength and methods, communicated through the standard acr
and amr ID token claims.

The Connect2id server supports integration of arbitrary authentication
methods. Microsoft Active Directory /
LDAP is supported out of the box, through an LdapAuth
service.

15. Claims data sources

The Connect2id server supports aggregation of
claims (standard
UserInfo and others), with optional language tags, from one or more data
sources.

Sourcing of end-user claims from Microsoft Active Directory / LDAP is supported
out of the box. A generic interface is available for connecting other claims
sources, such as relational or NoSQL databases, SCIM web services and HR
systems.

16. Access tokens

Self-contained: The access token is encoded as a secure JSON Web Token
(JWT) containing all necessary authorisation details for the resource server.
The JWT has an RSA signature, which the resource server can verify with the
Connect2id server’s public key. The standard RS256, RS384, RS512, PS256,
PS384 and PS512 JWS signature algorithms are supported. The JWT may also
optionally be encrypted with AES for confidentiality. The following claims
(fields) can be included in the JWT:

sub — subject (end-user ID)

cid — client ID

iss — issuer

aud — audience

scp — scope

iat — token issue time

exp — token expiration time

clm — consented OpenID claims

dat — optional custom data.

The self-contained token can also be inspected by a web call to the
Connect2id token introspection endpoint.
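To make the resource-server side of a self-contained token concrete, here is an added example in Go. It is not Connect2id code: the claim names are the ones listed above, but encoding aud, scp and clm as JSON string arrays, the placeholder issuer, client and audience values, and the in-process key pair are assumptions made for the example. In a deployment the resource server would fetch the verification key from the provider JWK set endpoint described in section 1; here the same program mints the token so the block runs stand-alone.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// AccessTokenClaims uses the datasheet's claim names; array-valued aud/scp/clm are an assumption.
type AccessTokenClaims struct {
	Sub string            `json:"sub"`           // subject (end-user ID)
	Cid string            `json:"cid"`           // client ID
	Iss string            `json:"iss"`           // issuer
	Aud []string          `json:"aud"`           // audience
	Scp []string          `json:"scp"`           // scope
	Iat int64             `json:"iat"`           // token issue time
	Exp int64             `json:"exp"`           // token expiration time
	Clm []string          `json:"clm,omitempty"` // consented OpenID claims
	Dat map[string]string `json:"dat,omitempty"` // optional custom data
}

var enc = base64.RawURLEncoding

// MintRS256 stands in for the authorisation server: compact JWS, RS256 (RSASSA-PKCS1-v1_5 over SHA-256).
func MintRS256(key *rsa.PrivateKey, c AccessTokenClaims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + enc.EncodeToString(sig), nil
}

// VerifyRS256 is the resource-server side: pin the algorithm, verify the signature, then read claims.
func VerifyRS256(pub *rsa.PublicKey, token, issuer, audience, scope string, now time.Time) (*AccessTokenClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWT")
	}
	hdrJSON, err1 := enc.DecodeString(parts[0])
	payload, err2 := enc.DecodeString(parts[1])
	sig, err3 := enc.DecodeString(parts[2])
	if err1 != nil || err2 != nil || err3 != nil {
		return nil, errors.New("malformed base64url segment")
	}
	var hdr struct{ Alg string `json:"alg"` }
	// The token never gets to choose the algorithm; anything but RS256 is refused.
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil || hdr.Alg != "RS256" {
		return nil, errors.New("unexpected alg")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("invalid signature")
	}
	var c AccessTokenClaims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	switch {
	case c.Iss != issuer:
		return nil, errors.New("wrong issuer")
	case !contains(c.Aud, audience):
		return nil, errors.New("wrong audience")
	case !now.Before(time.Unix(c.Exp, 0)):
		return nil, errors.New("token expired")
	case !contains(c.Scp, scope):
		return nil, errors.New("insufficient scope")
	}
	return &c, nil
}

func contains(xs []string, s string) bool {
	for _, x := range xs {
		if x == s {
			return true
		}
	}
	return false
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	now := time.Unix(1700000000, 0)
	// Constructed sample claims; issuer, client and audience values are placeholders.
	tok, _ := MintRS256(key, AccessTokenClaims{Sub: "alice", Cid: "example-client",
		Iss: "https://c2id.example.com", Aud: []string{"https://api.example.com"},
		Scp: []string{"openid", "read"}, Iat: now.Unix(), Exp: now.Add(10 * time.Minute).Unix()})
	fmt.Println(VerifyRS256(&key.PublicKey, tok, "https://c2id.example.com", "https://api.example.com", "read", now))
}
```

The check order is the point: the expected algorithm is fixed by the verifier, the signature is checked over the raw header.payload segments, and only a payload that survived both is parsed for issuer, audience, expiry and scope. A token that fails any step yields no claims at all, so the calling code cannot accidentally act on partially validated data.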

Identifier-based: The access token is represented by a secure 256-bit
random identifier, protected with an additional SHA-256 HMAC. The corresponding
authorisation is looked up by a web call to the Connect2id token
introspection endpoint. Identifier-based tokens are intended for minimal
clients that cannot verify JWT signatures, or for applications whose security
requires revocation to have an immediate effect.

17. Impersonation

Impersonation use cases are supported:

Issue of impersonated ID tokens to enable privileged users to log into a
client under a different identity.

Issue of impersonated access and refresh tokens to enable privileged users to
access protected resources under a different identity.

The Connect2id server provides a web API for querying, updating and revoking
impersonated tokens and authorisations.

18. Metrics and monitoring

The Connect2id server provides a RESTful endpoint for accessing over 100
different metrics to monitor usage and performance.